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REPORT OF INSPECTION 
CIA INFORMATION SECURITY PROGRAM 


GENERAL 

A. Authority: Executive Order 12065, Section 5-202 (a) 
and (h) 

B. Date r" August 1 'and 2, 1979'' 


C. ISOO Representatives: Harold Mason and John Cornett, 
Program Analysts. 

D. Purpose: To make an initial evaluation of agency 
actions to implement Executive Order 12065 and 
ISOO Directive No. 1. 

E. Prinicipal Contacts: See enclosure 1 

F. Method: Discussion with agency personnel and review 
of CIA classified holdings in accordance with proce- 
dures in enclosure 2. 


II. FINDINGS 

A. GENERAL RESPONSIBILITIES : 

One of the basic measures of compliance with the 
Order and Directive is the degree to which an 
agency has fulfilled the general responsibilities, 
applicable to all agencies which originate or 
handle classified information, outlined in Section 
5-4 of the Order. A summary of actions by the 
CIA staff in this regard follows. 

1. (5-401/402). An unclassified agency information 
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security regulation and unclassified guidelines 
for systematic declassification review had been 
developed and issued. They had not been published 
in the Federal Register. Although the guidelines 
had been approved by ISOO, the regulation had not 
(i.e., ISOO had recommended changes, but the 
changes had not been implemented) . 

2. (5-403). Four classified classification guides, 
with a total distribution of 3,431 copies, had 
been published. The guides were in detail and 
in the format prescribed by ISOO Directive No. 

1, Para. II D. 

3. (5-404 (a) and (b) ) . The Deputy Director for 
Administration had been designated to oversee 
the agency program and to chair an agency 

committee to act on suggestions and compliants 

» 

concerning the agency's information security 
program. 

4. (5-404 (c) ) . There was in being a process for 
deciding appeals from denials of mandatory 
declassification review requests. 

5. (5-404 (d) ) . There had been aggressive action 
to familiarize all agency personnel with the 
Order and Directive. Initial orientation, 
consisting of an excellent tape-slide presenta- 
tion with a question/answer period, was presented 
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in 52 sessions prior to the effective date of 
the Order. In addition, information security 
packages have been included in various internal 
agency training programs. 

6. (5-404 (e)). See II A 1 above. 

7. (5-404 (f)). The CIA mission requires that all 
employees be subjects of a favorable full field 
background investigation and a polygraph examin 
ation. Although clearances are granted on a 
"blanket" basis, access to specific information 
is controlled, primarily through the Sensitive 
Compar tmented Intelligence Information Programs. 

8. (5-404 (g) ) . Safeguarding practices are systemat- 
ically reviewed with a view toward simplicity 
and improvement. For example, a recent review 

of problems associated with protecting the large 
number of documents held by the agency resulted 
in a "Sensitive Document Control Program". As * 
a result of this certain documents, selected at 
operating official level, are stored separately 
and must be personnally accounted for by 
designated officials. 

B. CLASSIFICATION 

1. The total number of CIA personnel who posses 
original classification authority is 1629 
(TS-430, S-1169 and C-21) — a decrease of 74 
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from the number reported in mid-1978. Positions 

to which original classification authority is 
delegated are designated by memorandum. Addi- 
tionally, inci^brp^nts of these positions are 
subjects of a formal personnel action designating 
them as an authorized classifier. A listing of 
all authorized classifiers, by name, title, 
employee number, and classification level is 
published periodically. The list is classified 
Secret because of the association of names with 
employee numbers for those personnel under cover. 
The ISOO representatives were not authorized to 
review this listing as a whole, but were allowed 
to review specific names of those personnel not 
under cover. In an effort to control derivative 
classification, a similar system is used to 
designate those persons who are authorized to 
apply derivative markings. 

2. A total of approximately 150 agency originated 

classified documents of all classification levels, 
collateral and Sensitive Compartmented Intelligence 
Information (SCII) , were reviewed in the various 
offices visited. In no case did a document appear 
to be over-classified. Classification markings 
were proper except that in a very few cases 
documents were not portion marked. In most cases 
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observed, documents were marked as derivatively 
classified with a CIA Classification Guide as 
the source. (Source citations were checked 
against guides and in all cases were found to 
be appropriate). Most documents were marked 
for declas-sif ication review at the 20 year mark; 
those originally classified almost exclusively 
used "sources and methods" as the basis for 
extension beyond 6 years. Only a few observed 
were marked for automatic declassification at 
the 6 year mark. Some area studies and personality 
studies were marked with a review date of 6 years. 

C . DE CLASSIFICATION 

Sys tematic Review ; The agency has given special 
attention to systematic review of records for 
declassification: there is operating under the 

Chief, Information Security Staff, a Classification 
Review Division with 30 full-time agency personnel, 
15 part-time annuitants (total authorization is 
39 full time personnel) and a budget of $1.2 
million for FY 80. Material for systematic review 
comes from present agency holdings of approximately 
45 million pages plus an equal amount estimated to 
be created in the next ten years. There was no 
estimate regarding how much of this (90 million 
pages) will be designated as permanent records and 
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thus subject to review under E. O. 12065. 

Although review of 200 cu. ft. of predecessor 
agency (WWII OSS) records resulted in over 90% 
being declassified and accessioned to NARS, 
review of post-VTWIT records has so far resulted 
in retention of classification in approximately 
90% of the cases. (One reason for this high 
percentage is that CIA files are normally cut 
off of project, rather than a given date; 
accordingly some material being reviewed is 
relatively current) . Although a low percentage 
of documents are declassified, a considerable 
number are downgraded to Confidential, thus 
reducing storage and handling requirements. 
Records of decisions to continue classification 

are computerized, facilitating the administrative 

» 

action of certifying continued classification by 
the Director as well as retrieval from file. 

After review, documents, including those declass- 
ified, are returned to the agency records storage 
area. 

2. Mandatory Revie w; All requests for release of 
information, whether submitted under FOIA, 

Privacy Act, or E. O. 12065, are handled by the 
Information and Privacy Division (with a staff 
of 23) on a "first in-first out" basis regardless 
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of the time limits imposed by statute or Executive 

Order. The procedure established for processing 

a request is: 

1. Determine if the request meets the 
requirements. ■, 

2. Notify the requester that the request has 
been' received and is being processed. 

3. Send the request to the Directorate with 
subject matter interest. 

4. Follow-up the request, if not received from 
the Directorate, within an established 
period of time. 

5. After the review has been completed, the 
agency sends a letter to the requester 
along with releaseable information. If 
the request is denied, the requester is 
advised of his rights. 

It is estimated that it takes 116 staff years annually to 
process requests. The total backlog is considerable, e.g., 
the Division Chief estimated that even if no new requests 
were received it would take 18-24 months -to process 
requests presently on hand. Time limits for processing 
requests under E. 0. 12065 are not being met; in fact, 
letters acknowledging receipt of a requests frankly state 
this and advise the requester of his right to appeal on 
that basis. Appeals are handled administratively in the 

Approved For Release 2002/01/08 : CIA-RDP85B00236R000200150023-2 



STATINTL 


Approved For R5W^se 2002/01/08 : CIA-RDP85BOO236R<Jfl02OO1 50023-2 

same manner as requests and the same problems apply. There 
appears to be little that can be done to speed the process, 
given the requirement for detailed review and coordination 
to protect intelligence sources and methods. 

D. SAFEGUARDING . The CIA is in compliance with all 

^ safeguarding procedures established under the Order. 

They have Top Secret control offices in all Director- 
ates and conduct inventory of Top Secret documents on 
an annual basis. Top ,Secret, codeword and compar tmented 
information is stored in security containers located 
within vaulted areas and access is restricted to 
personnel on a need-to-know basis. They have also 
adopted a sensitive document control program with 
strict accountability for particularly sensitive 
documents . 


III. KUDOS 

A. The agency Information Security Program Handbook 

although requiring some changes and 
additions in the opinion of ISOO, is an excellent 
publication and a credit to its authors. 

B. Personnel of the agency with whom the program was 
discussed indicated an in-depth knowledge of both 
the mechanics and the philosophy of the information 
security program. 

C. The use of Agency Classification Guides was evident 
in all components where files were reviewed. 
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IV. CONCLUSIONS 

The Central Intelligence Agency appears dedicated in their 
desire to fully comply with the provisions of the Order. 
Officials interviewed were thoroughly knowledgeable with 
the Order and implementing directive, and sincere is their 
desire to adhere to, the information security program. 

V. RECOMMENDATIONS 

Based upon findings above, ISOO recommends that CIA: 

1. Expedite publication, of their agency regulations 
in the Federal Register . 

2. Expedite publication of their systematic review 
guidelines in the Federal Register . 

3. Provide a copy of the ISOO report to the Chief, 
Information Services Staff. 

Enclosures: 

1. Review Itinerary 

2. CIA procedure for access to classified information 
by ISOO personnel 

DRAFTER: HMason/JCornett/yh 
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